IPv6 security: a new playing field

Share

It all started in 1993. That’s when the Internet Engineering Task Force launched a call for white papers (via Request For Comments 1550) on "IP: Next Generation”, which would later become IPv6.

At the time, many of us were still just discovering the Internet, IPv4 protocol, and related security issues.

the imminent arrival of IPv6

Almost 20 years later, IPv4 address exhaustion is a reality. IPv6 has officially been launched, and setting up IPv6 networks and services has therefore become a top priority for operators, equipment providers and companies.

But don’t hold your breath: IPv6 is no revolution in terms of security. A cursory reading of the Requests for Comments does make it seem like Internet Protocol Security will be the cornerstone of IPv6 security, but we can’t jump to that conclusion quite yet.

assessing risk with IPv6

If we assume that total security risk equals the sum of “probability x criticality” for each threat, how does IPv6 measure up?

For now, the threats identified for IPv6 do not seem to be evolving very much, so probability is not changing greatly. At the same time, because security products have not fully integrated IPv6 (battery management by the central processing unit as opposed to an Application-Specific Integrated Circuit or ASIC, for example), threats tend to be much more critical.

This all means that IPv6 threats are riskier than IPv4 threats—at least during this transition phase. So just managing a simple Transmission Control Protocol flood can become a total nightmare for network and security admins.

primary IPv6 threats

Take all the IPv4 threats we already know about (spoofing, flooding, denial of service, etc), get rid of a couple (network address translation, Address Resolution Protocol, etc), add a bit of IPv6 (Type 0 Routing Header, IPv4-IPv6 tunneling), and your new technical playing field is up and running.

And don’t forget to train security teams, office teams and users if they will be using IPv6 addresses:

- "Can you confirm that your IP address is 2001:db8:0:85a3::ac1f:8001?"
- "No, it’s 2001:0db8:0000:85a3:0000:0000:ac1f:8001!"

a little more reading

While we wait for more articles to be published on IPv6 security, here is a list of links (the most informative in my opinion) for further reading. I know it’s short, but if you search you’ll see that writing on the topic is pretty repetitive.

essential:

products and services

open call to seasoned experts

Obviously, the above list is anything but exhaustive and should only be used as a starting point for researching the topic.

Any of you who have already done additional reading or research can tell us more and share links in the “comments” section.

image © so47Fotolia.com

Vincent Maurin

I work for Orange Business Services as a security leader within Products and Services Development. My previous jobs as a technical "worker bee" lead me to pay specific attention to the difficulties of implementing companies' security strategies and policies. Security, efficiency and pragmatism are my main pillars.